From patchwork Thu Nov 21 18:15:17 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11256783 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1CE0E14DB for ; Thu, 21 Nov 2019 18:15:51 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id 417B7206CC for ; Thu, 21 Nov 2019 18:15:50 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="nANVur5k" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 417B7206CC Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-17415-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com Received: (qmail 30200 invoked by uid 550); 21 Nov 2019 18:15:43 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 29993 invoked from network); 21 Nov 2019 18:15:41 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=ccHak5xmnouFPda/AWVo/lGwU/xGWHbS5K0BgsHuUQE=; b=nANVur5kLJlbf+6u+7VUDkKEjaiMC2PFH5e24iCf0pYkdwHtQD0NWweCruV4r8kb3e CcjwoSrV0Dgahhol5DLONFuh3LbyzNHH/0qWrI0YQ6vdFVp6rmeUdhnvVjKuUR2ff46N 6iIMYjQf4aJWK8+XkAl07Qtt4SskGL3F5TRZU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=ccHak5xmnouFPda/AWVo/lGwU/xGWHbS5K0BgsHuUQE=; b=alSDSixBRJB38ANaK4SCKzJlYXftD8pgAwcY6C2NLYZE8fYmroezvttdViu7Hy9a1v HbzIGltVJt51ftd8vVbdUHFabtwnoya2qlpIc8xMckAX3lcFIcXv4lL+3b7sxQ4m8E7V WuDfwDCg3JBZYyQp686SqXpHadNaXIxX37eG6lg89SfmT2MzGpI+oWOUKhMuGVKuWWVe ivH0FBfAHSuohmBf7XNsOr/tG7SwmsPJaJqBj19acx+xcXR5z6JKSRQyYkw079PwB49X CVtktBxOABBwWeXTl5YZXxQtxCJKpcLAFM1+FXe7lap11/DwB0sdLxqG6psZ5ubFids0 82sg== X-Gm-Message-State: APjAAAUqrWTiTxhWiRLOtl2xgIM0Hxd0wgKXsQxcT38sD7wQDbLFOop9 8t27GEvuV6p6BzEXLIiNQFnetw== X-Google-Smtp-Source: APXvYqxBltaVztxF8obBvw++HqCE/1IaQdeMeweeYTlarHq2vfh1pumYJ2FFNKeqzOLaoVxRGNOQMw== X-Received: by 2002:a63:535c:: with SMTP id t28mr11108812pgl.173.1574360129873; Thu, 21 Nov 2019 10:15:29 -0800 (PST) From: Kees Cook To: Andrew Morton Cc: Kees Cook , Andrey Ryabinin , Elena Petrova , Alexander Potapenko , Dmitry Vyukov , Linus Torvalds , Dan Carpenter , "Gustavo A. R. Silva" , Arnd Bergmann , Ard Biesheuvel , kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com Subject: [PATCH v2 1/3] ubsan: Add trap instrumentation option Date: Thu, 21 Nov 2019 10:15:17 -0800 Message-Id: <20191121181519.28637-2-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191121181519.28637-1-keescook@chromium.org> References: <20191121181519.28637-1-keescook@chromium.org> The Undefined Behavior Sanitizer can operate in two modes: warning reporting mode via lib/ubsan.c handler calls, or trap mode, which uses __builtin_trap() as the handler. Using lib/ubsan.c means the kernel image is about 5% larger (due to all the debugging text and reporting structures to capture details about the warning conditions). Using the trap mode, the image size changes are much smaller, though at the loss of the "warning only" mode. In order to give greater flexibility to system builders that want minimal changes to image size and are prepared to deal with kernel code being aborted and potentially destabilizing the system, this introduces CONFIG_UBSAN_TRAP. The resulting image sizes comparison: text data bss dec hex filename 19533663 6183037 18554956 44271656 2a38828 vmlinux.stock 19991849 7618513 18874448 46484810 2c54d4a vmlinux.ubsan 19712181 6284181 18366540 44362902 2a4ec96 vmlinux.ubsan-trap CONFIG_UBSAN=y: image +4.8% (text +2.3%, data +18.9%) CONFIG_UBSAN_TRAP=y: image +0.2% (text +0.9%, data +1.6%) Additionally adjusts the CONFIG_UBSAN Kconfig help for clarity and removes the mention of non-existing boot param "ubsan_handle". Suggested-by: Elena Petrova Signed-off-by: Kees Cook --- lib/Kconfig.ubsan | 22 ++++++++++++++++++---- lib/Makefile | 2 ++ scripts/Makefile.ubsan | 9 +++++++-- 3 files changed, 27 insertions(+), 6 deletions(-) diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index 0e04fcb3ab3d..9deb655838b0 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -5,11 +5,25 @@ config ARCH_HAS_UBSAN_SANITIZE_ALL config UBSAN bool "Undefined behaviour sanity checker" help - This option enables undefined behaviour sanity checker + This option enables the Undefined Behaviour sanity checker. Compile-time instrumentation is used to detect various undefined - behaviours in runtime. Various types of checks may be enabled - via boot parameter ubsan_handle - (see: Documentation/dev-tools/ubsan.rst). + behaviours at runtime. For more details, see: + Documentation/dev-tools/ubsan.rst + +config UBSAN_TRAP + bool "On Sanitizer warnings, abort the running kernel code" + depends on UBSAN + depends on $(cc-option, -fsanitize-undefined-trap-on-error) + help + Building kernels with Sanitizer features enabled tends to grow + the kernel size by around 5%, due to adding all the debugging + text on failure paths. To avoid this, Sanitizer instrumentation + can just issue a trap. This reduces the kernel size overhead but + turns all warnings (including potentially harmless conditions) + into full exceptions that abort the running kernel code + (regardless of context, locks held, etc), which may destabilize + the system. For some system builders this is an acceptable + trade-off. config UBSAN_SANITIZE_ALL bool "Enable instrumentation for the entire kernel" diff --git a/lib/Makefile b/lib/Makefile index c5892807e06f..bc498bf0f52d 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -272,7 +272,9 @@ quiet_cmd_build_OID_registry = GEN $@ clean-files += oid_registry_data.c obj-$(CONFIG_UCS2_STRING) += ucs2_string.o +ifneq ($(CONFIG_UBSAN_TRAP),y) obj-$(CONFIG_UBSAN) += ubsan.o +endif UBSAN_SANITIZE_ubsan.o := n KASAN_SANITIZE_ubsan.o := n diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 019771b845c5..668a91510bfe 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -1,5 +1,10 @@ # SPDX-License-Identifier: GPL-2.0 ifdef CONFIG_UBSAN + +ifdef CONFIG_UBSAN_ALIGNMENT + CFLAGS_UBSAN += $(call cc-option, -fsanitize=alignment) +endif + CFLAGS_UBSAN += $(call cc-option, -fsanitize=shift) CFLAGS_UBSAN += $(call cc-option, -fsanitize=integer-divide-by-zero) CFLAGS_UBSAN += $(call cc-option, -fsanitize=unreachable) @@ -9,8 +14,8 @@ ifdef CONFIG_UBSAN CFLAGS_UBSAN += $(call cc-option, -fsanitize=bool) CFLAGS_UBSAN += $(call cc-option, -fsanitize=enum) -ifdef CONFIG_UBSAN_ALIGNMENT - CFLAGS_UBSAN += $(call cc-option, -fsanitize=alignment) +ifdef CONFIG_UBSAN_TRAP + CFLAGS_UBSAN += $(call cc-option, -fsanitize-undefined-trap-on-error) endif # -fsanitize=* options makes GCC less smart than usual and From patchwork Thu Nov 21 18:15:18 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11256789 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2D50314DB for ; Thu, 21 Nov 2019 18:15:58 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id 7AB01206CB for ; Thu, 21 Nov 2019 18:15:57 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="KrN4zpR8" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 7AB01206CB Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-17416-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com Received: (qmail 30322 invoked by uid 550); 21 Nov 2019 18:15:43 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 30035 invoked from network); 21 Nov 2019 18:15:42 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=JQs/4UxemMcGCjHZn4niB7nA1rMhXtjAz7kJK3AjL7E=; b=KrN4zpR8IEwpUQr4jn2KWwjZqUoeisnx3Am9Bp+lgiRIdx5345vx29iTTUFknjeFFQ Rj9A+pMLGH7kZeXTTYnjwo6xAzbqdCNRhagoYp/K8ogsyNX8Xx9jAt66FmI5COUA2UiY gHkW3zyflbmt4IHuKfJMdE/2YCaQqpLZhk71I= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=JQs/4UxemMcGCjHZn4niB7nA1rMhXtjAz7kJK3AjL7E=; b=Wlakjf47LX+gtGuiG4YMfrh9EClE+osCBpBQq5BSgqqNDp5i2y78bOt7hu0aN515ut KHWNPGAGHegC5DiaODEYgJ2gts6xfm0XmmFD26dU2VNPaW9lhQoWXKB0xL1Z3v6TRwHs kOy6Wmi5sF7+//LQerHaKIWyl4SclGOEePZGpinP2lyersEhvmGRVV/g0k/qh2BPlv4B aSiYoel5FukYPDYc9OAX2ZiaISWjC8C8VvaHKuTMfbnzvh7aedm9pVGA+ANv1V/dLGCu zAR2C/v3cZRvJnuBAZxM1q82ILczMldRYCnSqB/JKySrGPjVtnS/XJm2CDR/dr677jH8 vO/g== X-Gm-Message-State: APjAAAX1z0FksCX07UtUmZU4V7uskh0lhWVrCc7UKsHhAbQ4u4lszLyE V5Ku3PnPqRHrhxLswzv59MguZw== X-Google-Smtp-Source: APXvYqwbG0mlD3ppkkL3k31yuwYGe/H5GA3+ceT+WKtRCMUFj+fEDoGxidbBeBr46DZ2WJ27O5jcgg== X-Received: by 2002:a65:66c7:: with SMTP id c7mr10861530pgw.407.1574360130724; Thu, 21 Nov 2019 10:15:30 -0800 (PST) From: Kees Cook To: Andrew Morton Cc: Kees Cook , Andrey Ryabinin , Elena Petrova , Alexander Potapenko , Dmitry Vyukov , Linus Torvalds , Dan Carpenter , "Gustavo A. R. Silva" , Arnd Bergmann , Ard Biesheuvel , kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com Subject: [PATCH v2 2/3] ubsan: Split "bounds" checker from other options Date: Thu, 21 Nov 2019 10:15:18 -0800 Message-Id: <20191121181519.28637-3-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191121181519.28637-1-keescook@chromium.org> References: <20191121181519.28637-1-keescook@chromium.org> In order to do kernel builds with the bounds checker individually available, introduce CONFIG_UBSAN_BOUNDS, with the remaining options under CONFIG_UBSAN_MISC. For example, using this, we can start to expand the coverage syzkaller is providing. Right now, all of UBSan is disabled for syzbot builds because taken as a whole, it is too noisy. This will let us focus on one feature at a time. For the bounds checker specifically, this provides a mechanism to eliminate an entire class of array overflows with close to zero performance overhead (I cannot measure a difference). In my (mostly) defconfig, enabling bounds checking adds ~4200 checks to the kernel. Performance changes are in the noise, likely due to the branch predictors optimizing for the non-fail path. Some notes on the bounds checker: - it does not instrument {mem,str}*()-family functions, it only instruments direct indexed accesses (e.g. "foo[i]"). Dealing with the {mem,str}*()-family functions is a work-in-progress around CONFIG_FORTIFY_SOURCE[1]. - it ignores flexible array members, including the very old single byte (e.g. "int foo[1];") declarations. (Note that GCC's implementation appears to ignore _all_ trailing arrays, but Clang only ignores empty, 0, and 1 byte arrays[2].) [1] https://github.com/KSPP/linux/issues/6 [2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92589 Suggested-by: Elena Petrova Signed-off-by: Kees Cook Reviewed-by: Andrey Ryabinin --- lib/Kconfig.ubsan | 20 ++++++++++++++++++++ scripts/Makefile.ubsan | 7 ++++++- 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index 9deb655838b0..9b9f76d1a3f7 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -25,6 +25,26 @@ config UBSAN_TRAP the system. For some system builders this is an acceptable trade-off. +config UBSAN_BOUNDS + bool "Perform array index bounds checking" + depends on UBSAN + default UBSAN + help + This option enables detection of directly indexed out of bounds + array accesses, where the array size is known at compile time. + Note that this does not protect array overflows via bad calls + to the {str,mem}*cpy() family of functions (that is addressed + by CONFIG_FORTIFY_SOURCE). + +config UBSAN_MISC + bool "Enable all other Undefined Behavior sanity checks" + depends on UBSAN + default UBSAN + help + This option enables all sanity checks that don't have their + own Kconfig options. Disable this if you only want to have + individually selected checks. + config UBSAN_SANITIZE_ALL bool "Enable instrumentation for the entire kernel" depends on UBSAN diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 668a91510bfe..5b15bc425ec9 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -5,14 +5,19 @@ ifdef CONFIG_UBSAN_ALIGNMENT CFLAGS_UBSAN += $(call cc-option, -fsanitize=alignment) endif +ifdef CONFIG_UBSAN_BOUNDS + CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) +endif + +ifdef CONFIG_UBSAN_MISC CFLAGS_UBSAN += $(call cc-option, -fsanitize=shift) CFLAGS_UBSAN += $(call cc-option, -fsanitize=integer-divide-by-zero) CFLAGS_UBSAN += $(call cc-option, -fsanitize=unreachable) CFLAGS_UBSAN += $(call cc-option, -fsanitize=signed-integer-overflow) - CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) CFLAGS_UBSAN += $(call cc-option, -fsanitize=object-size) CFLAGS_UBSAN += $(call cc-option, -fsanitize=bool) CFLAGS_UBSAN += $(call cc-option, -fsanitize=enum) +endif ifdef CONFIG_UBSAN_TRAP CFLAGS_UBSAN += $(call cc-option, -fsanitize-undefined-trap-on-error) From patchwork Thu Nov 21 18:15:19 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11256795 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 537A9930 for ; Thu, 21 Nov 2019 18:16:06 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id A8B50206CB for ; Thu, 21 Nov 2019 18:16:05 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="AUOvfPWM" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org A8B50206CB Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-17417-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com Received: (qmail 30406 invoked by uid 550); 21 Nov 2019 18:15:45 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 30208 invoked from network); 21 Nov 2019 18:15:43 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=0T61AzxnAvwa4rB+CZumfDDidufAJnp+U8GPCQMxTB4=; b=AUOvfPWMFq4respwzA0a7ruKECsyXNc2uFyzNEbqSnofRJKhfkixrJJ0M+DfKvrJxy OyeHQu1ARk/u7CyYkgiVLfxU9mPHkRpyTfW0lX3RFQNpV30KQ8mB5qjnK2AK8Db4f/BI V7fIe1AlaR3RbttdT03b1f/4luN3yqTzQl3gs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=0T61AzxnAvwa4rB+CZumfDDidufAJnp+U8GPCQMxTB4=; b=Lo665/+i/yLVHwEwpbeMeRmPEwOSMrYCWh/oOdksNHJ88mn16bZT2wW4xgNeFmPnY4 GpNagMCEVk9U1qzlnQsAYR3OCTW+jQ4oWuBKiE+Envl3fsVCzcuIWiFXbtuxgIZm3uBF 7OqrvJlSllQdaq6LpT1ckS0K11uFWYwCWPd/Sxr3j8tujil4cZRA+Lse1ig68fA+AQ0V cUg5CP9vUp1hxlNhGYBzSwcHgaltQdwo96bf7TcFdHNN994PU0XbQooI/+3XWeWGBMAJ MKI5PKrfhX2+QlBXxQcVNJF7tYEOFnrlB76zd75tqPyu/uAamdEGyri1Am3ZmDBbc0G0 nJ1Q== X-Gm-Message-State: APjAAAUulcKv30ZN4sQVaADrD5yXk4agCfcgDBYcCTUc7aZv24LErBR1 RwbK7teiD7RPyInpzo1xHl7mnw== X-Google-Smtp-Source: APXvYqwYaxQm1EsXEJba84FDgOq6w11jd48NYQ2iAFZdb0g9WHYhwZWRGHcjD+YTLE62j1VjOIgDnw== X-Received: by 2002:a17:90a:3d01:: with SMTP id h1mr13598717pjc.15.1574360131608; Thu, 21 Nov 2019 10:15:31 -0800 (PST) From: Kees Cook To: Andrew Morton Cc: Kees Cook , Andrey Ryabinin , Elena Petrova , Alexander Potapenko , Dmitry Vyukov , Linus Torvalds , Dan Carpenter , "Gustavo A. R. Silva" , Arnd Bergmann , Ard Biesheuvel , kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com Subject: [PATCH v2 3/3] lkdtm/bugs: Add arithmetic overflow and array bounds checks Date: Thu, 21 Nov 2019 10:15:19 -0800 Message-Id: <20191121181519.28637-4-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191121181519.28637-1-keescook@chromium.org> References: <20191121181519.28637-1-keescook@chromium.org> Adds LKDTM tests for arithmetic overflow (both signed and unsigned), as well as array bounds checking. Signed-off-by: Kees Cook --- drivers/misc/lkdtm/bugs.c | 75 ++++++++++++++++++++++++++++++++++++++ drivers/misc/lkdtm/core.c | 3 ++ drivers/misc/lkdtm/lkdtm.h | 3 ++ 3 files changed, 81 insertions(+) diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c index 7284a22b1a09..8b4ef30f53c6 100644 --- a/drivers/misc/lkdtm/bugs.c +++ b/drivers/misc/lkdtm/bugs.c @@ -11,6 +11,7 @@ #include #include #include +#include struct lkdtm_list { struct list_head node; @@ -171,6 +172,80 @@ void lkdtm_HUNG_TASK(void) schedule(); } +volatile unsigned int huge = INT_MAX - 2; +volatile unsigned int ignored; + +void lkdtm_OVERFLOW_SIGNED(void) +{ + int value; + + value = huge; + pr_info("Normal signed addition ...\n"); + value += 1; + ignored = value; + + pr_info("Overflowing signed addition ...\n"); + value += 4; + ignored = value; +} + + +void lkdtm_OVERFLOW_UNSIGNED(void) +{ + unsigned int value; + + value = huge; + pr_info("Normal unsigned addition ...\n"); + value += 1; + ignored = value; + + pr_info("Overflowing unsigned addition ...\n"); + value += 4; + ignored = value; +} + +/* Intentially using old-style flex array definition of 1 byte. */ +struct array_bounds_flex_array { + int one; + int two; + char data[1]; +}; + +struct array_bounds { + int one; + int two; + char data[8]; + int three; +}; + +void lkdtm_ARRAY_BOUNDS(void) +{ + struct array_bounds_flex_array *not_checked; + struct array_bounds *checked; + int i; + + not_checked = kmalloc(sizeof(*not_checked) * 2, GFP_KERNEL); + checked = kmalloc(sizeof(*checked) * 2, GFP_KERNEL); + + pr_info("Array access within bounds ...\n"); + /* For both, touch all bytes in the actual member size. */ + for (i = 0; i < sizeof(checked->data); i++) + checked->data[i] = 'A'; + /* + * For the uninstrumented flex array member, also touch 1 byte + * beyond to verify it is correctly uninstrumented. + */ + for (i = 0; i < sizeof(not_checked->data) + 1; i++) + not_checked->data[i] = 'A'; + + pr_info("Array access beyond bounds ...\n"); + for (i = 0; i < sizeof(checked->data) + 1; i++) + checked->data[i] = 'B'; + + kfree(not_checked); + kfree(checked); +} + void lkdtm_CORRUPT_LIST_ADD(void) { /* diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c index cbc4c9045a99..25879f7b0768 100644 --- a/drivers/misc/lkdtm/core.c +++ b/drivers/misc/lkdtm/core.c @@ -129,6 +129,9 @@ static const struct crashtype crashtypes[] = { CRASHTYPE(HARDLOCKUP), CRASHTYPE(SPINLOCKUP), CRASHTYPE(HUNG_TASK), + CRASHTYPE(OVERFLOW_SIGNED), + CRASHTYPE(OVERFLOW_UNSIGNED), + CRASHTYPE(ARRAY_BOUNDS), CRASHTYPE(EXEC_DATA), CRASHTYPE(EXEC_STACK), CRASHTYPE(EXEC_KMALLOC), diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h index ab446e0bde97..2cd0c5031eea 100644 --- a/drivers/misc/lkdtm/lkdtm.h +++ b/drivers/misc/lkdtm/lkdtm.h @@ -22,6 +22,9 @@ void lkdtm_SOFTLOCKUP(void); void lkdtm_HARDLOCKUP(void); void lkdtm_SPINLOCKUP(void); void lkdtm_HUNG_TASK(void); +void lkdtm_OVERFLOW_SIGNED(void); +void lkdtm_OVERFLOW_UNSIGNED(void); +void lkdtm_ARRAY_BOUNDS(void); void lkdtm_CORRUPT_LIST_ADD(void); void lkdtm_CORRUPT_LIST_DEL(void); void lkdtm_CORRUPT_USER_DS(void);